Epidemiology & Technology

CVAT Install behind Nginx Reverse Proxy and CSRF Mitigation

I recently installed CVAT on a local VM. CVAT uses Docker and installs a local Traefik container within the VM. The docs give instructions on how to run it on a domain with free SSL from Let's Encrypt, but they assume that SSL termination happens on the Traefik reverse proxy. However, in an enterprise setup where you already have a reverse proxy in charge of your public-facing IP, SSL termination happens there, and that proxy needs to forward all traffic for the CVAT subdomain to the VM.

In a nutshell, how to run the CVAT VM behind NginX reverse proxy

CVAT VM Configuration

Add environment variables in BASH profile

nano ~/.profile

export CVAT_HOST=your.domain.tld

Save, log out of the VM, and log back in.

GIT Pull

cd ~
git clone https://github.com/cvat-ai/cvat
cd cvat

CSRF settings

Source: https://github.com/cvat-ai/cvat/pull/6322#issuecomment-2257131513

https://docs.cvat.ai/v2.3.0/docs/administration/advanced/ldap/#the-creation-of-settingspy

nano ~/cvat/local-settings.py

Overlaying production

# Overlaying production
from cvat.settings.production import *
CSRF_TRUSTED_ORIGINS = ['https://your.domain.tld']

Next File

nano ~/cvat/docker-compose.settings_overlay.local.yml

Contents of file

services:
  cvat_server:
    environment:
      DJANGO_SETTINGS_MODULE: settings
    volumes:
      - ./local-settings.py:/home/django/settings.py:ro

Create Docker Containers

docker compose -f ~/cvat/docker-compose.yml \
    -f ~/cvat/docker-compose.settings_overlay.local.yml \
    up -d
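Why the CSRF_TRUSTED_ORIGINS overlay is needed once TLS ends at the upstream Nginx, shown as an added example: a simplified model of the Origin check in Django's CSRF middleware, not code from Django, CVAT or the original post. The function name, the sample requests and the assumption that Nginx forwards the original Host header are constructed for illustration.

```python
# Added example: simplified model of the Origin check performed by Django's
# CSRF middleware. Illustrative only; not Django's or CVAT's code.
from urllib.parse import urlsplit


def origin_verified(origin, host, is_secure, trusted_origins):
    """Would an unsafe request (POST, PUT, ...) pass the Origin check?"""
    # 1. Same origin as Django sees it. The scheme is taken from the
    #    connection Django received, which is plain HTTP once TLS has been
    #    terminated at the upstream proxy.
    seen_scheme = "https" if is_secure else "http"
    if origin == f"{seen_scheme}://{host}":
        return True
    # 2. Exact entry in CSRF_TRUSTED_ORIGINS.
    if origin in trusted_origins:
        return True
    # 3. Wildcard entry ("https://*.domain.tld"): same scheme, subdomain match.
    try:
        parsed = urlsplit(origin)
    except ValueError:
        return False
    for entry in trusted_origins:
        scheme, _, pattern = entry.partition("://")
        if pattern.startswith("*.") and scheme == parsed.scheme:
            suffix = pattern[1:]  # ".domain.tld"
            if parsed.netloc.endswith(suffix) or parsed.netloc == suffix[1:]:
                return True
    return False


def demo():
    # Constructed requests: the browser talks HTTPS to Nginx, Nginx forwards
    # plain HTTP to the CVAT VM with the original Host header (assumption).
    host, browser_origin = "your.domain.tld", "https://your.domain.tld"
    overlay = ["https://your.domain.tld"]  # value from local-settings.py
    wild = ["https://*.domain.tld"]  # constructed wildcard entry
    return {
        "no_overlay": origin_verified(browser_origin, host, False, []),
        "with_overlay": origin_verified(browser_origin, host, False, overlay),
        "foreign_site": origin_verified("https://other.example", host, False, overlay),
        "wildcard": origin_verified("https://cvat.domain.tld", host, False, wild),
        "wildcard_http": origin_verified("http://cvat.domain.tld", host, False, wild),
    }


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case:14} {'accepted' if passed else 'rejected (403)'}")
```

The trusted entry has to carry the scheme and the exact host the browser uses, because the comparison is a string match on the full origin.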

Next Steps: Email

I am looking at how to use the steps in the following for email configuration: https://github.com/cvat-ai/cvat/issues/8152#issuecomment-2262198765

https://github.com/cvat-ai/cvat/issues/7436#issuecomment-2254806378

Disable self registration

Delete the path in Django

# nano ~/cvat/cvat/apps/authentication/urls.py

path('register', RegisterView.as_view(), name='rest_register')

Rebuild Docker Image

Disable access to Register Route – can be managed inside reverse proxy – https://github.com/cvat-ai/cvat/issues/1283#issuecomment-1284977632

      
# Inside Nginx Reverse Proxy Conf File
location /api/auth/register {
    return 301 https://$server_name$request_uri;
}

UI changes

cvat-ui/src/components/register-page/*
cvat-ui/src/containers/register-page/*

 - Remove Register Route
cvat-ui/src/components/cvat-app.tsx

Enable Email Verification

https://docs.cvat.ai/docs/administration/basics/installation/#email-verification

nano ~/cvat/cvat/settings/base.py


# By default, email backend is django.core.mail.backends.smtp.EmailBackend
# But it won't work without additional configuration, so we set it to None
# to check configuration and throw ImproperlyConfigured if thats a case
# EMAIL_BACKEND = None
# ACCOUNT_EMAIL_VERIFICATION = 'none'
# ACCOUNT_AUTHENTICATION_METHOD = 'username_email'

ACCOUNT_AUTHENTICATION_METHOD = 'username_email'
ACCOUNT_CONFIRM_EMAIL_ON_GET = True
ACCOUNT_EMAIL_REQUIRED = True
ACCOUNT_EMAIL_VERIFICATION = 'mandatory'

# Email backend settings for Django
EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'

# SMTP backend parameters and the Django settings that supply them:
#   host: EMAIL_HOST
#   port: EMAIL_PORT
#   username: EMAIL_HOST_USER
#   password: EMAIL_HOST_PASSWORD
#   use_tls: EMAIL_USE_TLS
#   use_ssl: EMAIL_USE_SSL
#   timeout: EMAIL_TIMEOUT
#   ssl_keyfile: EMAIL_SSL_KEYFILE
#   ssl_certfile: EMAIL_SSL_CERTFILE

Rebuild containers

Building CVAT container after source code changes

cd ~/cvat/

docker compose \
     -f docker-compose.yml \
     -f docker-compose.dev.yml \
     -f docker-compose.settings_overlay.local.yml     \
      build

docker compose \
     -f docker-compose.yml \
     -f docker-compose.settings_overlay.local.yml     \
      up -d



TUS Upload Issues

Unable to upload annotations to cvat · Issue #8153 · cvat-ai/cvat (github.com)

https://github.com/cvat-ai/cvat/issues/8153#issuecomment-2362841882

# File: cvat/cvat/apps/engine/mixins.py
            location = request.build_absolute_uri()
 -          if 'HTTP_X_FORWARDED_HOST' not in request.META:
 +          if 'HTTP_ORIGIN' in request.META:
                         location = request.META.get('HTTP_ORIGIN') + request.META.get('PATH_INFO')Code language: PHP (php)
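Review bot: the new condition on the `+` line trusts a client-supplied header. Whenever a request carries `Origin`, `location` is built from `HTTP_ORIGIN` + `PATH_INFO` instead of the value returned by `request.build_absolute_uri()`, so the URL handed back to the client is whatever origin the client sent. Consider using the header only when it matches an allowlist, such as the `CSRF_TRUSTED_ORIGINS` entry set in local-settings.py, and falling back to `build_absolute_uri()` otherwise. An alternative that leaves this file unpatched is to have Nginx send `X-Forwarded-Host` and `X-Forwarded-Proto` and enable Django's `USE_X_FORWARDED_HOST` and `SECURE_PROXY_SSL_HEADER`, so that `build_absolute_uri()` already yields the public HTTPS URL.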

Then rebuild containers

docker compose \
     -f docker-compose.yml \
     -f docker-compose.dev.yml \
     -f docker-compose.settings_overlay.local.yml     \
      build

docker compose \
     -f docker-compose.yml \
     -f docker-compose.settings_overlay.local.yml     \
      up -d

Docker Volumes used

cvat_db: PostgreSQL database files, used to store information about users, tasks, projects, annotations, etc. Mounted into cvat_db container by /var/lib/postgresql/data path.

cvat_data: used to store uploaded and prepared media data. Mounted into cvat container by /home/django/data path.

cvat_logs: used to store logs of CVAT backend processes managed by supervisord. Mounted into cvat container by /home/django/logs path.

cvat_keys: used to store user ssh keys needed for synchronization with a remote Git repository. Mounted into cvat container by /home/django/keys path.

cvat_events: this is an optional volume that is used only when Analytics component is enabled and is used to store Elasticsearch database files. Mounted into cvat_elasticsearch container by /usr/share/elasticsearch/data path
